Lower Costs, Bigger Benefits

Incorporating information technology into electronic security systems can bring you two welcome results: improved security capabilities and lower costs. In this article we’ll look at some of the technology breakthroughs that are bringing these results today.

Power Over Ethernet
The telecommunications industry has used a version of electrical power over network connections for many years to allow telephone service to continue i

That requires cameras and network infrastructure that are compliant with IEEE 802.3af, the standard published in mid-2003 that specifies how switches, routers and hubs should deliver power over standard Ethernet cabling to devices like IP phones, security systems and wireless LAN access points. In addition to the security benefits, eliminating separate power cabling to end devices such as cameras can cut installation costs by 50 percent or more.

Axis Communications, Sony and Toshiba have recently introduced PoE-compliant network cameras. “Power is the weakest link in a video surveillance system. PoE strengthens that link,” said Joe Cook, product manager for Toshiba Security & Network Video.
Another benefit for video systems is that changing a camera position no longer requires a new AC power installation. PoE makes it easier to experiment over time with camera positions to achieve ideal coverage results. Power can even be extended to selected access control devices.

802.3af defines a way to build Ethernet power-sourcing equipment (such as routers and switches) and powered terminals (such as IP telephones and IP cameras). The specification involves delivering 48 volts of AC power over unshielded twisted-pair wiring. It works with existing cable plant, including Category 3, 5, 5e or 6; horizontal and patch cables; patch-panels; outlets and connecting hardware, without requiring modification.

802.3af power sourcing equipment contains a detection mechanism to prevent sending power to noncompliant devices. Only terminals that present an authenticated PoE signature will receive power, preventing damage to other equipment.

More information on PoE can be obtained from the Power Over Ethernet Web site (see Quicklinks, p. 34), which publishes a regular newsletter related to PoE.

PKI—Old News Is Good News
Public key infrastructure is old news in the IT world. It also has a mixed reputation there, because at first it was heralded as a silver bullet that would almost magically enable all kinds of security capabilities. Instead of fitting PKI solutions to various applications, vendors often sold PKI as a security black box around which companies had to tailor their applications. That was expensive and often unworkable. In many quarters PKI got a bad name, but it wasn’t the basic technology that was the problem, it was the poor application of it. Over time PKI has quietly been resurfacing as part of very specific security applications such as virtual private networks.
PKI is a framework that provides a way to use public key encryption to securely send messages over a public network. Public key encryption uses two numerical keys that have a special mathematical relationship to each other. What you encrypt with one key you can decrypt with the other. This allows one key to be kept completely private and the other key to be published or distributed. Whichever key was used to encrypt the data cannot be used to decrypt it.

When security systems used proprietary protocols over closed RS-485 networks, the security of their messages was not an issue. Now that the industry is moving to public protocols over open networks including the Internet, secure messaging is a concern for system security as well as for privacy reasons. Generally speaking, the physical security industry lags behind IT in secure messaging. PKI can provide the solution, and IT companies are starting to step forward with offerings specifically for physical security.

PKI Toolkit for Access Control
Tumbleweed Communications is a recognized leader in providing secure Internet communication solutions for enterprises and government. Tumbleweed provides security solutions for e-mail protection, file transfers, and identity validation that allow organizations to safely conduct business over the Internet.

In 2004 Tumbleweed turned its attention to how its technology could be applied to physical security, in an effort to help organizations that were trying to use a single smart card-based system for both IT and physical access control. One result is a Tumbleweed toolkit that allows manufacturers to add PKI capabilities to access control software, access control panels and card readers. Tumbleweed provides a white paper about bridging physical and logical security at its Web site.

IP Readers
Isonas Inc. started in 1999 in Niwot, CO, to provide card readers that were compatible with cards from multiple manufacturers, including HID proximity cards. In 2001 Isonas became the first company to provide a panel-free, computer network-based security access control system that operated on an existing corporate LAN or WAN. Today, Isonas offers multi-protocol technology with IP-based readers (both wired and wireless) designed to stand alone or connect via a TCP/IP network to a Windows PC running the Isonas security management software.

Isonas eliminated the need for a separate access control panel by moving the cardholder database and door control functionality into the reader itself. This necessitated the strengthening of the readers, including the addition of advanced tamper-detection features that prevent access to the door control connections. A purely IP-based reader system that uses existing network infrastructure without the cost of separate access control panels can provide a significant cost reduction. Such systems should be attractive to IT solution providers, who can leverage the IT infrastructures they provide.

Security Monitoring Appliances
NetBotz, whose U.S. headquarters are in Austin, TX, currently has more than 2,000 customers using its security monitoring network appliances. In February of this year NetBotz introduced Surveillance, a Web-accessible application that runs on the NetBotz central server. Surveillance hosts a centralized data warehouse for images and clips captured by NetBotz monitoring appliances and third-party cameras. Users can quickly find and play back surveillance clips of interest and discard irrelevant archived video data. Especially when used with PoE cameras, NetBotz appliances facilitate the cost-effective expansion of security monitoring as IT infrastructure expands.

Web Services
Until recently, most security system integrations revolved around coupling databases, or outputting “access granted” and “access denied” transactions via serial or printer ports. These integrations were very project-specific. A small percentage of interfaces used distributed component object modem or object request brokers based on the CORBA specification. These integrations were static and could not automatically adapt to changes in the systems with which they were integrated.

To provide more flexibility and greater cost effectiveness than previous static integrations, the IT world took a new approach called Web services. A Web service is application or business logic that is accessible using standard Internet protocols. The standard protocols of Web services enable them to provide black-box functionality that can be used and reused without regard to how the service is implemented.

Web Services can be dynamically composed into applications stemming from capabilities looked up at runtime instead of being fixed by traditional static binding. Larger services can be built on top of sets of smaller services. The dynamic nature of the collaborations allow the implementations to be platform- and programming language-neutral, and communications mechanism-independent, while creating innovative products, processes and value chains. This is referred to as services-oriented architecture, and it is the architecture of the future for security system integrations. More information is available at
www.webservices.org.

Web Services for Network Security Appliance
S2 Security Corporation of Wellesley, MA, was founded by John L. Moss, former CEO and founder of Software House (now a unit of Tyco International), to develop network-ready products that integrate access control, alarm monitoring, video and temperature monitoring. The company’s first product, the S2 NetBox, is a network appliance that implements a complete, integrated, solid-state security management system that is operated securely from a Web browser. There is no front-end software to install.

In March of this year S2 announced the availability of a Web services-based application program interface for the NetBox. The Web services approach reduces initial integration costs and eliminates the kind of maintenance headaches that previous types of integrations could be subject to.

Building Automation Perspective
Applying the concept of moving intelligence out to the network edge (a concept which inspired the company’s name), NovusEdge provides the EdgeProtect product line for physical access control and asset protection monitoring through modular, scalable, intelligent IP-enabled network-edge solutions. Intending to allow building controls integrators to leverage their existing knowledge, NovusEdge provides a standards-based architecture that supports OPC (OLE for Process Control), BACnet over IP, LonTalk and Modbus protocols for integration with building automation systems. A single EdgeController device can provide all access control, alarm monitoring and video monitoring and recording functionality, but is first (and cost-affordably) configured to meet initial requirements, retaining the capability for easy expansion later if needed.

For maximum compatibility with corporate networks and high acceptability to IT departments, NovusEdge products use the following protocols for network communications: IP, TCP/IP, VOP/IP, IUDP, ICMP, IGMP, SMTP, ARP, FTP, and PPP. The NovusEdge access control software suite works with any server platform supporting Java 2—including Microsoft Windows, UNIX, Red Hat Linux, IBM AIX, and Sun Solaris. This breadth of operating system support provides maximum compatibility with customer IT department preferences.

IT Company Revolutionizes Physical Security
CoreStreet Ltd. of Cambridge, MA, uses established IT security technologies (PKI-based digital signatures and messaging that follow related IT standards) in a unique patented architecture for smart card-based access control systems. The benefits derive from using the cardholders as the network and using access control smart cards to carry system messages.

With the CoreStreet technology, a small percentage of strategically located readers are network-connected to the access control system front end. The remaining readers require no network connection because they are card-connected. Access cards carry messages from the card-connected readers (such as “access granted” or “access denied”) to the networked readers, which send them back to the access control system’s database.

Networked readers in turn pass along a revocation list via cards to the card-connected readers. The information on each card expires at a predetermined interval (usually daily), so any revocation list will be small because it only needs to cover the current day’s revocations. Network-connected readers are used to refresh the card information and are located so that the normal flow of traffic accomplishes the daily card refreshes.

What makes this approach possible is the simple but ingenious combination of secure messaging via cards, role-based access control (borrowed from the IT world), and rule-based access decisions by readers—all of which eliminate cardholder database lookups. The CoreStreet technology places access rules in the readers that specify which roles (such as Salesperson, Cleaner, or Shipping Clerk) have access at what times.

Using standards-based information security, proof of a cardholder’s roles is written to the access control smart card. The reader makes the access decision based upon a match-up of roles and rules when the card is presented. No access control panel or network connection is needed, because no database lookup is required (and door control hardware comes with the readers).

Eliminating the database lookup means that an unlimited number of simultaneous access decisions can be made by an unlimited number of readers. Thus a CoreStreet-enabled system can scale up to 1 million readers and 10 million cardholders, with central management of all access points, whether or not their readers are on the network.

Using cardholders as the network allows a significantly reduced network infrastructure, which can reduce the total cost of systems by 40 to 75 percent. This allows security system budgets to go much farther and provide higher security at lower costs.

The CoreStreet technology is being adopted by major industry manufacturers such as Honeywell, which rolled out its incorporation of the CoreStreet technology at its Honeywell Access 2005 conference. “We are really excited to partner with CoreStreet on this exciting technology,” said John Lorenty, president of Honeywell Access Systems. “We will now be able to offer our customers the ability to manage electronic control systems at stand-alone locations—from office buildings on corporate campuses to a factory or transportation hub halfway around the world. This provides our Pro-Watch enterprise users a higher level of security that was difficult or uneconomical to achieve until now.”

CoreStreet-enabled door locksets are also being developed by Assa Abloy.

Deploying an Emerging Technology Solution
Are there any rules of thumb regarding the deployment of these types of emerging technology solutions? Here are some helpful guidelines that have come from customers who have been involved in emerging technology projects.

Understand the solution from both the technological and the organizational perspectives. It is important to know not just how new technologies integrate with other systems, but how their functionality and operation will integrate with your enterprise. What will you be able to accomplish that you couldn’t accomplish before? Who are the stakeholders involved? Will the organizational culture be impacted? What kind of ongoing support will be required of both you and your vendor?

Start with small steps. Use pilot projects and phased project planning to minimize the impact and disruption to you and your organization, and to provide early learning with easily controllable projects.

Learn from others. Ask your vendor to put you in touch with other customers, so that you can learn from their experiences in advance of your own implementation.

Ray Bernard, PSP, is the principal consultant for Ray Bernard Consulting Services (RBCS), which provides high-security consulting services for public and private facilities. He is a technical consultant and writer who has provided pivotal direction and technical advice in the security and building automation industries for more than 17 years. This article is based upon material in his upcoming book, Shifting Sands: The Convergence of Physical Security and IT. For more information about Ray Bernard and RBCS, go to www.go-rbcs.com or call 949-831-6788.